CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/04/08 2:45 p.m.•4 views

BIT-DISCOURSE-2026-34947 Discourse: Staged user custom fields are exposed on public invite pages

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3,and 2026.2.0 to before 2026.2.2, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3 and 2026.2.2...

6.9CVSS5.7AI score0.00211EPSS

OSV•added 2026/04/07 8:44 a.m.•3 views

BIT-DISCOURSE-2026-33073 discourse-subscriptions plugin leaking stripe API key in multisite environment

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, the discourse-subscriptions plugin leaks stripe API keys across sites in a multisite cluster resulting in the potential for stripe related information to be leaked across...

5.3CVSS5.7AI score0.00175EPSS

Exploits0References3

OSV•added 2026/04/07 8:43 a.m.•5 views

BIT-DISCOURSE-2026-32143 Discourse: Admin-only report can be exported by moderators

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for...

6.5CVSS5.7AI score0.00234EPSS

Exploits0References3

NVD•added 2026/04/03 10:16 p.m.•7 views

CVE-2026-34947

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...

6.9CVSS0.00211EPSS

Cvelist•added 2026/04/03 9:27 p.m.•21 views

CVE-2026-34947 Discourse: Staged user custom fields are exposed on public invite pages

6.9CVSS0.00211EPSS

Positive Technologies•added 2026/04/03 12:0 a.m.•4 views

PT-2026-30244

6.9CVSS5.8AI score0.00211EPSS

Exploits0References3

CNNVD•added 2026/04/03 12:0 a.m.•5 views

Discourse 信息泄露漏洞

Discourse is an open-source community discussion platform developed by Discourse. This platform includes features such as communities, email communication, and chat rooms. Versions of Discourse prior to 2026.1.3, 2026.2.2, and 2026.3.0 contained a vulnerability related to information leakage. Thi...

6.9CVSS5.8AI score0.00211EPSS

RedhatCVE•added 2026/04/01 11:0 p.m.•2 views

CVE-2026-32620

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content w...

RedhatCVE•added 2026/04/01 11:0 p.m.•4 views

CVE-2026-32143

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could...

6.5CVSS5.8AI score0.00234EPSS

RedhatCVE•added 2026/04/01 11:0 p.m.•3 views

CVE-2026-32273

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issu...

5.4CVSS5.8AI score0.00167EPSS

NVD•added 2026/03/31 6:16 p.m.•2 views

CVE-2026-33415

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authenticated moderator-level user could retrieve post content, topic titles, and usernames from categories they were n...

5.1CVSS0.00188EPSS

ATTACKERKB•added 2026/03/31 5:42 p.m.•2 views

CVE-2026-33300

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass in the Category Chatables Controller show action allowed moderators to get information on hidden...

5.3CVSS5.8AI score0.00234EPSS

Exploits0References3Affected Software1

Vulnrichment•added 2026/03/31 5:41 p.m.•1 views

CVE-2026-33185 Discourse: Group SMTP test endpoint susceptible to SSRF

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the group email settings test endpoint could be used to make the server initiate outbound connections to arbitrary hosts a...

5.3CVSS5.8AI score0.0018EPSS

ATTACKERKB•added 2026/03/31 5:41 p.m.•0 views

CVE-2026-32620

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content w...

Exploits0References3Affected Software1

CVE•added 2026/03/31 5:41 p.m.•11 views

CVE-2026-32620

Summary: CVE-2026-32620 affects Discourse. From 2026.1.0-latest up to before 2026.1.3, 2026.2.0-latest up to before 2026.2.2, and 2026.3.0-latest up to before 2026.3.0, non-staff users could access read receipt metadata for staff-only posts they were not supposed to see. No post content was expos...

Exploits0References2Affected Software1

OSV•added 2026/03/31 5:41 p.m.•4 views

CVE-2026-32620 Discourse: Missing post-level authorization allows whisper metadata disclosure

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content w...

Vulnrichment•added 2026/03/31 5:40 p.m.•3 views

Exploits0References4

CVE-2026-32618 Discourse: Unauthorized channel membership inference via excluded_memberships_channel_id

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in...

4.3CVSS5.8AI score0.00201EPSS

EUVD•added 2026/03/31 5:40 p.m.•11 views

EUVD-2026-17557

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, users who lost access to a topic e.g., removed from a private category group could still interact with polls in that topic...

6.3CVSS5.8AI score0.0016EPSS

EUVD•added 2026/03/31 5:40 p.m.•4 views

EUVD-2026-17553

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, category group moderators could perform privileged actions on topics inside private categories they did not have read acce...

5.3CVSS5.8AI score0.00153EPSS